Closed
Bug 411209
Opened 17 years ago
Closed 17 years ago
HTML attachments can be used to hijack Bugzilla sessions via XSS
Categories
(Bugzilla :: Attachments & Requests, defect)
People
(Reporter: mozilla, Unassigned)
Details
Attachments
(1 file)
(deleted),
text/html
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us) AppleWebKit/523.10.6 (KHTML, like Gecko) Version/3.0.4 Safari/523.10.6
Build Identifier:
Attachments can contain malicious scripts, or source in scripts from other domains that may later become malicious. By creating a malicious attachment, an attacker
Reproducible: Always
Steps to Reproduce:
1. Visit http://crypto.stanford.edu/~collinj/research/bugzilla/xss/
Actual Results:
Your Bugzilla session cookie is alerted
Expected Results:
Malicious page is not able to steal your Bugzilla cookie
Updated•17 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 2•17 years ago
Updated•16 years ago
Group: webtools-security → bugzilla-security
Updated•16 years ago
Group: bugzilla-security → webtools-security
Updated•16 years ago
Group: webtools-security → bugzilla-security
Comment 3•16 years ago
This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.
Group: bugzilla-security